Security |
Invantive Cloud exchanges data with back-end systems of Invantive. This data can have a sensitive nature, which a user doesn't want to be known either to other users or in the public. We have generally classified the information at the same level as data under GDPR. A number of security measures are being enforced based upon this classification.
Invantive provides this text as a help. When your organization must meet legal requirements regarding security, your organization itself is responsible for establishing and verifying the application of your information security policy. Invantive does not provide any security guarantees beyond "reasonable effort".
This section provides some insight in the security measures taken. More details are conditionally available, for instance for security audits. Costs as well as a non-disclosure agreement are part of such disclosure.
Authentication
Authentication to Invantive Cloud requires a log on code and password. The password must meet a number of constraints like a minimum length and inclusion of special character categories. Such a password is a piece of knowledge that is to be kept personal.
Additionally, almost all features of Invantive Cloud require a second authentication step using a so-called Multi-Factor Authentication verification code (also known as "MFA verification code" or "TOTP verification code"). The verification code is generated using a secret that is shared with you at most once using a QR code and the secret key in plain text. This QR code should be registered/scanned using a different device than used to log on, for instance an iPhone with Google Authenticator or Microsoft Authenticator. This secret is considered a "possession" once stored in a phone.
Function Authorization
A user in Invantive Cloud can be associated to exactly one organization. License coordinators on Invantive subscriptions are automatically registered in Invantive Cloud with their organization.
The number of functions available to a user of Invantive Cloud solely depends whether the user is associated with a party. Only limited functions are available when the user is not yet associated with an organization.
Data Authorization
Invantive Cloud uses label security to protect data. A user in Invantive Cloud can have a number of security labels, which are determined automatically based upon properties of the user account. Each data element has a number of labels associated which enable access to the data element. When a user has one of these labels, the data element is made available. In all other cases, the data element is invisible.
For most users which are a member of an organization, this policy ensures that they can only see and change data of their own organization.
Geo Block
Access to most Invantive services is only available from designated locations across the world. This includes all countries that are member of the European Union, United Kingdom and the United States. We additionally block usage from locations within these countries which enable access from normally blocked locations.
Audit Trail
Invantive Cloud has a number of audit features which are registered outside the web environment to reduce the possibilities for manipulation by fraudulent users.
Highly Sensitive Data Encryption
Highly sensitive data such as organization's passwords and refresh tokens are stored in another separate environment ("vault") using reversible encryption. The encryption mechanism is different per organization. The separate environment decrypts the highly sensitive data when necessary. By preference, the unencrypted data does not leave the separate environment to enter Invantive Cloud.
Explicitly not stored in an encrypted format are:
•log on codes.
•name, email address and other address information of users.
•name, email address and other address information of organizations.
•license keys.
Cloud Database Data Encryption
When retrieving data from your cloud databases, the data will pass our servers in memory in an unencrypted format. When stored at rest, a number of measures have been taken to ensure the data rests in an encrypted format.